mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'release-win11-2309' of github.com:MicrosoftDocs/windows-docs-pr into pm-2309-8138336-whfb-passwordless
This commit is contained in:
commit
f49888d4a3
@ -2,6 +2,15 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Week of September 11, 2023
|
||||||
|
|
||||||
|
|
||||||
|
| Published On |Topic title | Change |
|
||||||
|
|------|------------|--------|
|
||||||
|
| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
|
||||||
|
| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
|
||||||
|
|
||||||
|
|
||||||
## Week of September 04, 2023
|
## Week of September 04, 2023
|
||||||
|
|
||||||
|
|
||||||
|
@ -9037,7 +9037,7 @@ Profile example
|
|||||||
<NativeProtocol>
|
<NativeProtocol>
|
||||||
<Type>Sstp</Type>
|
<Type>Sstp</Type>
|
||||||
</NativeProtocol>
|
</NativeProtocol>
|
||||||
<RetryTimeinHours>168</RetryTimeinHours>
|
<RetryTimeInHours>168</RetryTimeInHours>
|
||||||
</ProtocolList>
|
</ProtocolList>
|
||||||
<Authentication>
|
<Authentication>
|
||||||
<UserMethod>Eap</UserMethod>
|
<UserMethod>Eap</UserMethod>
|
||||||
|
@ -5,14 +5,14 @@ manager: aaroncz
|
|||||||
ms.author: frankroj
|
ms.author: frankroj
|
||||||
ms.prod: windows-client
|
ms.prod: windows-client
|
||||||
author: frankroj
|
author: frankroj
|
||||||
ms.date: 11/01/2022
|
ms.date: 09/18/2023
|
||||||
ms.topic: article
|
ms.topic: article
|
||||||
ms.technology: itpro-deploy
|
ms.technology: itpro-deploy
|
||||||
---
|
---
|
||||||
|
|
||||||
# Exclude files and settings
|
# Exclude files and settings
|
||||||
|
|
||||||
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
|
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition, you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
|
||||||
|
|
||||||
Methods to customize the migration and include and exclude files and settings include:
|
Methods to customize the migration and include and exclude files and settings include:
|
||||||
|
|
||||||
@ -33,7 +33,8 @@ We recommend that you create a custom .xml file instead of modifying the default
|
|||||||
The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **<component>** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **<include>** and **<exclude>** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
|
The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **<component>** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **<include>** and **<exclude>** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you specify an **<exclude>** rule, always specify a corresponding **<include>** rule. Otherwise, if you do not specify an **<include>** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **<exclude>** rule is unnecessary.
|
>
|
||||||
|
> If you specify an **<exclude>** rule, always specify a corresponding **<include>** rule. Otherwise, if you don't specify an **<include>** rule, the specific files or settings aren't included. They're already excluded from the migration. Thus, an unaccompanied **<exclude>** rule is unnecessary.
|
||||||
|
|
||||||
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
|
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
|
||||||
|
|
||||||
@ -152,13 +153,13 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
|
|||||||
|
|
||||||
### Example 5: How to exclude a file from any location
|
### Example 5: How to exclude a file from any location
|
||||||
|
|
||||||
To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
|
To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files are excluded.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<pattern type="File"> C:\* [Sample.doc] </pattern>
|
<pattern type="File"> C:\* [Sample.doc] </pattern>
|
||||||
```
|
```
|
||||||
|
|
||||||
To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files will be excluded.
|
To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files are excluded.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
|
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
|
||||||
@ -239,7 +240,7 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
|
|||||||
|
|
||||||
##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
|
##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
|
||||||
|
|
||||||
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element.
|
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. All `*.docx`, `*.xls` and `*.ppt` files aren't migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
@ -275,12 +276,13 @@ You can create and modify a `Config.xml` file if you want to exclude components
|
|||||||
|
|
||||||
- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **<WindowsComponents>** section.
|
- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **<WindowsComponents>** section.
|
||||||
|
|
||||||
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **<Documents>** section. Note that any **<include>** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't.
|
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **<Documents>** section. Any **<include>** rules in the .xml files are still applied. For example, if you have a rule that includes all the .docx files in My Documents, then .docx files are still migrated. However, any additional files that aren't .docx aren't migrated.
|
||||||
|
|
||||||
For more information, see [Config.xml File](usmt-configxml-file.md).
|
For more information, see [Config.xml File](usmt-configxml-file.md).
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
|
>
|
||||||
|
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file doesn't exclude the component from your migration.
|
||||||
|
|
||||||
## Related articles
|
## Related articles
|
||||||
|
|
||||||
|
@ -13,15 +13,15 @@ The following table lists the available settings to configure the UAC behavior,
|
|||||||
|
|
||||||
|Setting name| Description|
|
|Setting name| Description|
|
||||||
|-|-|
|
|-|-|
|
||||||
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|
|
||||||
|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
|
|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
|
||||||
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
|
||||||
|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
|
|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
|
||||||
|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
|
|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
|
||||||
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|
||||||
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|
||||||
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|
||||||
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
|
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|
||||||
|
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|
||||||
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
|
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
|
||||||
|
|
||||||
## User Account Control configuration
|
## User Account Control configuration
|
||||||
@ -50,15 +50,15 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local
|
|||||||
|
|
||||||
|Setting|
|
|Setting|
|
||||||
| - |
|
| - |
|
||||||
| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
|
|
||||||
| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
|
| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
|
||||||
| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
|
| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
|
||||||
| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
|
| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
|
||||||
| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
|
| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
|
||||||
| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
|
| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
|
||||||
| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
|
| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
|
||||||
| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
|
| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
|
||||||
| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
|
| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
|
||||||
|
| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
|
||||||
| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
|
| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
|
||||||
|
|
||||||
#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
|
#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
|
||||||
@ -69,15 +69,15 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
|
|||||||
|
|
||||||
| Group Policy setting |Default value|
|
| Group Policy setting |Default value|
|
||||||
| - | - |
|
| - | - |
|
||||||
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|
|
||||||
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|
||||||
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|
||||||
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
|
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
|
||||||
|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|
|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|
||||||
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)<br />Disabled (default) |
|
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home edition only)<br />Disabled (default) |
|
||||||
|User Account Control: Only elevate executables that are signed and validated| Disabled |
|
|User Account Control: Only elevate executables that are signed and validated| Disabled |
|
||||||
|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|
|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|
||||||
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|
||||||
|
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
||||||
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
|
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
|
||||||
|
|
||||||
#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
|
#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
|
||||||
@ -86,15 +86,15 @@ The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\Cur
|
|||||||
|
|
||||||
| Setting name | Registry key name | Value |
|
| Setting name | Registry key name | Value |
|
||||||
| - | - | - |
|
| - | - | - |
|
||||||
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
|
|
||||||
| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled<br>1 = Enabled |
|
| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||||
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
|
| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||||
| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
|
| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
|
||||||
| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
|
| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
|
||||||
| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
|
| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
|
||||||
| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled<br>1 = Enabled |
|
| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||||
| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled<br>1 (Default) = Enabled |
|
| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||||
| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
|
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||||
|
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||||
| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled<br>1 (Default) = Enabled |
|
| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||||
|
|
||||||
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
|
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
|
||||||
|
Loading…
x
Reference in New Issue
Block a user